Survey reveals the scope of 'shadow IT'
Nine organisations covering 25,000 users are clueless on an important score. With special feature audio.
Nine organisations covering 25,000 users are clueless on an important score. With special feature audio.
Cloud services are hot but are they also out of control as staff use personal accounts on the likes of Dropbox and Apple iCloud for work, and IT staff are ignorant of the location cloud data is stored, or just which cloud services are being used?
A new survey of nine public and private organisations, with a total of 25,000 employees, indicates they are.
Resultex, the Wellington-based IT services consultancy that carried it out, says data from the survey indicates chief information officers (CIOs) are unaware of a staggering 90% of cloud-based services in their organisations.
And of those rogue cloud services, 6% are considered high risk, meaning they could result in data theft.
Resultex cloud adoption services head Robin Whitaker says the survey reveals the size of what he calls "shadow IT" for New Zealand organisations.
Shadow IT refers to information technology projects and apps that are managed and accessed outside of, and without the knowledge of, the IT department.
During the audit, Resultex found that the average organisation had more than 720 cloud services running, with nearly 6% of these service being considered high risk.
Resultex, which has partnered with Skyhigh Networks, compared the cloud services in use to the 15,000 services in the Skyhigh global risk register, which assesses each service against 50 attributes in areas such as data risk, service and business risk.
Findings included:
While it's debatable if simply using a service like HR based outside New Zealand is a security threat, it's concerning that many of those surveyed were ignorant of where cloud services physically stored their data (a government-funded project led by Waikato University is seeking to create tools for tracking cloud data around the planet, and when it's accessed).
“From a security point of view, it’s concerning when both private businesses and government organisations are unaware of how many services are running, where the data sent to these services is stored or who owns the data after it is uploaded,” Mr Whitikar says.
“More than 600 of the services in use did not have a policy on ownership of data, which opens up the possibility for these services to use an organisation's data for their own purposes," he says.
The survey found the average organisation has: